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Abstract — In this paper, we investigate how constraints on the 
randomization in the encoding process affect the secrecy rates 
achievable over wiretap channels. In particular, we characterize 
the secrecy capacity with a rate-limited local source of random- 
ness and a less capable eavesdropper's channel, which shows that 
limited rate incurs a secrecy rate penalty but does not preclude 
secrecy. We also discuss a more practical aspect of rate-limited 
randomization in the context of cooperative jamming. Finally, we 
show that secure communication is possible with a non-uniform 
source for randomness; this suggests the possibility of designing 
robust coding schemes. 

I. Introduction 

The wiretap channel model (TJ, has attracted much 
attention in recent years because of its potential to strengthen 
the security of communication systems (3), 0J, Although this 
model provides a convenient abstraction to design codes for 
secure communication (see and reference therein), it relies 
on two implicit simplifying assumptions. First, the model 
assumes that the transmitter knows the statistics of the channel. 
Second, the model assumes that the transmitter has access 
to an arbitrary local source of randomness, whose statistics 
can be optimized as part of the code design. In practice, 
however, these assumptions are unlikely to be perfectly guar- 
anteed. For instance, an eavesdropper has little incentive to 
help characterize the channel statistics and, realistically, the 
legitimate parties may only have approximate knowledge of 
the true statistics. Similarly, the statistics of the local source 
of randomness may be imperfectly known, or the source may 
only provide a limited rate of randomness. 

Secure communications with imperfect channel knowledge 
have already been the subject of previous investigations. For 
instance, several works have studied compound wiretap chan- 
nels (see [6] and references therein), in which the transmitter 
only knows that its channel belongs to a set of possible 
channels. Secure communication is often possible but the 
best channel to the eavesdropper usually limits secrecy rates. 
Other works have investigated the secrecy capacity of state- 
dependent channels under different assumptions regarding 
state information (see J3), (4J and references therein). In 
another approach, J7| has shown the existence of universal 
wiretap codes, which guarantee secrecy and reliability as soon 
as the channel capacity of the eavesdropper's channel is low 
enough. 



In contrast to the problem of channel knowledge, little 
attention has been devoted to the problem of imperfect local 
sources of randomness. In particular, the questions of how 
much randomness is required to guarantee secrecy and how 
sensitive are secure communication codes to imperfections in 
randomness are still largely open. 

In this paper, we provide partial answers to these questions. 
Our main contributions are 1) the characterization of secrecy 
capacity with a rate-limited source of randomness and a less 
capable eavesdropper's channel, 2) practical considerations on 
the effect of limited randomness for cooperative jamming, 
and 3) the derivation of a sufficient condition for secure 
communication with a non-uniform randomization. 

The remainder of the paper is organized as follows. Sec- 
tion [n] introduces the wiretap channel model used to analyze 
the effect of constrained randomization and presents our results 
on the secrecy-capacity of wiretap channels with a rate-limited 
local source of randomness. Section [Hi] discusses rate-limited 
randomness in the context of cooperative jamming. Finally, 



Section IV discusses the possibility of secure communication 
with a non-uniform local source of randomness that cannot be 
processed. 

II. Rate-Limited Randomness: Theoretical 
Considerations 

Unless otherwise specified, we consider a discrete wiretap 
channel (X , Wyz\x,y x Z), characterized by a finite input 
alphabet X, two finite output alphabets y and Z, and transition 
probabilities pyz|x- As illustrated in Figure [T] we assume that 
the transmitter (Alice) wishes to transmit a secret message 
to the receiver observing Y n (Bob), in the presence of an 
eavesdropper observing Z" (Eve). The channel (A", Wy|Xi y) 
is called the main channel while the channel (A", Wz\xi -Z) is 
called the eavesdropper's channel. We assume the eavesdrop- 
per's channel is less capable, that is for any input X we have 
I(X;Z) ^ I(X;Y). The encoding process may be stochastic, 
but the only source of randomness is a discrete memoryles^] 
source (TZ,pu) with known alphabet 7Z and known statistics 
Pr. This model captures a situation in which the transmitter 

'The assumption of a memoryless source is a matter of convenience, and 
the proofs in the appendices generalize easily to arbitrary sources. 
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Fig. 1. Communication over a randomness-limited wiretap channel. 
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does not have access to a infinite pool of random numbers, 
and those must be generated on-the-fly during encoding from 
a source of randomness (thermal noise, photon counting). In 
addition, it forces us to specify explicitly how to use the 
randomness provided by the source in the encoding process. 



Definition 1: A (2 



nR 



wiretap code C n for the discrete 



wiretap channel (X ,pyz\x,y x Z) with local source of ran- 
domness (1Z,pr) consists of the following. 

• a message alphabet M. = [1, 2 nR j; 

• an encoding function e : M. x 1Z n — > X n ; 

• a decoding function / : y n — > M U {?}. 

The performance of C n is measured in terms of the average 
probability of error P e (C n ) = p(m ji M|C„) and of the 
secrecy leakage L(C n ) = E(M;Z n |C„) 

Definition 2: A rate R is achievable if there exists a se- 
quence of (2 nR , n) wiretap codes {C n } n ^i such that 

lim P e (C n ) = and lim L(C n ) = 0. 

The (strong) secrecy capacity with rate-limited randomness C 8 
is defined as the supremum of all achievable rates. 

Remark 1: The definition of a wiretap code above implic- 
itly allows the encoder to process the observations obtained 
from the local source of randomness. In particular, the encoder 
can remove a possible bias in the randomness. What happens 
when the encoder does not perfectly process the local source 
is discussed in Section |IV] 

Proposition 1: The secrecy capacity of a wiretap channel 
(X, Wyz\x,y x Z) with a rate-limited source of local ran- 
domness (1Z,pr) and a less capable eavesdropper's channeQ 
is 

C s = max (I(X;Y|U) -I(X;Z|U)) 

Puvxvz ^'P 

where the set V is the set of distributions puxyz that factorize 
as puxvz = PuPviuPxiv^yzix and with I(X; Z|U) sC H(R). 
Proof: See Appendix [A] and Appendix [B] ■ 
Remark 2: Using standard techniques, one can show that 
the cardinality of U is bounded by \U\ ^ 2. 
The expression in Proposition [T] is similar to that obtained 
in (2] Corollary 2]. The effect of the local source of ran- 
domness explicitly appears in the expression through the 

2 We used the less capable assumption to avoid dealing with the problem of 
channel prefixing. Days before submitting the current paper, [8] was posted 
on ArXiv and independently solved the general case. Proposition ^ appears 
as (8] Corollary 12]. 



Fig. 2. Cooperative jamming with rate-limited randomness. 



auxiliary time-sharing random variable U and the constraint 
I(X;Z|U) ^ H(R). Proposition [T] confirms the optimal struc- 
ture of the encoder, which performs two distinct operations: 

1) Uniformization: the encoder generates nearly-uniform 
random numbers U r at rate H(R) from the local source 
of randomness; 

2) Randomization: the encoder uses a fraction I(X; Z|U) 
of the randomness rate to randomize the choice of a 
codeword; 

The identification of the optimal encoder structure suggest 
that non-uniform randomization may affect the performance 
of a code, which we discuss in Section [IV] Proposition [T] also 
highlights that the common folklore in information-theoretic 
security, according to which secrecy is achievable provided the 
randomization can exhaust the capacity of the Eve's channel, 
is somewhat misleading. If the source provides a non-zero rate 
of randomness (H(R) > 0), then the secrecy capacity with a 
rate-limited source of randomness is positive if and only if 
the secrecy capacity with unlimited randomness is positive. 
Intuitively, this happens because the channel seen by Eve is 
an "effective channel", which is partly controlled by Alice 
through time-sharing and the choice of the codebook. 

Also note that if the rate of randomness vanishes, then 
no secure communication is possible. This confirms that, 
except for pathological channels (for instance, one for which 
I(X; Z) = for any X), one cannot replace the local source 
of randomness by a pseudo-random number generator without 
losing the information-theoretic secrecy guarantees. 

III. Rate-Limited Randomness: Practical 
Considerations 

It is legitimate to wonder how the results of previous 
sections generalize to continuous channels and, in particular, 
to Gaussian channels. There are no conceptual difficulties 
in analyzing the randomization part of the encoder since 
I(X;Z|U) remains finite with a power constraint; however, 
the simulation of Gaussian noise plays a key role in multi- 
user wiretap channels |9| as a means to perform cooperative 
jamming. 

We analyze the situation illustrated in Figure [2] in which 
an eavesdropper observes the output of an AWGN channel 
with noise variance a 2 and suffers from the added interference 
of a cooperative jammer (Adam). The signal obtained by the 



eavesdropper is then 



where X" is the codeword transmitted by Alice, C n is the 
interference introduced by Adam, and N™ is the channel noise. 
Cooperative jamming would consist in generating C" i.i.d. 
according to a Gaussian distribution. With a local source of 
randomness, the following results holds. 

Proposition 2: With a local source of randomness (7\L,pj>), 
a cooperative jammer can induce artificial Gaussian noise with 
power p ^ a 2 2 2 ^~\ 

Sketch of proof: The result follows by remarking that the 
objective of cooperative jamming is to increase the variance of 
Gaussian noise at the eavesdropper's terminal; therefore, the 
distribution of C" + N™ should be close to Gaussian, but C ra 
itself need not be Gaussian. In particular, the sequences C" can 
be chosen from a codebook with average power constraint p; 
the result of channel resolvability over Gaussian channels ifTOl 
guarantees there exists a codebook with rate arbitrarily close to 
\ log(l + £2) so that the distribution of C" + N™ is arbitrarily 
close to Af(a 2 + p). Since the rate of the codebook is given 
by the rate of the source H(R), the result follows. ■ 
Consequently, rate-limited randomness effectively translates 
into a power constraint on the Gaussian artificial noise that the 
encoder introduces to jam the eavesdropper. Therefore, rate- 
limited randomness reduces the effectiveness of cooperating 
jamming but does not preclude it. 

IV. Non-Uniform Rate-Limited Randomness 

The result of Proposition [T] suggests that one should always 
"uniformize" the local source of randomness to create uni- 
formly distributed random numbers. This operation, however, 
may be imperfect and one may wonder whether achieving 
secrecy is then still possible. A situation where the random 
numbers may not be perfectly uniform is if the local source 
of randomness is another message source; understanding this 
setting is crucial to assess whether secrecy constraints incur 
an overall rate loss or not |4|. 

For simplicity, we assume that the output of uniformization 
is a random variable U r £ [1, 2 n/?r ] with perhaps non-uniform 
distribution pu r - In this case, we show that secrecy is still 
achievable, but at a lower rate limited by the Renyi entropy 
rate of order two ^R,2(U r ) where 

# 2 (u r ) = - log j Yl ? u » 2 

Proposition 3: A secrecy rate R is achievable when ran- 
domization is performed with randomness U r if it satisfies 

R< max (I(X;Y|U) -I(X;Z|U)), 

PUXYZS'P 

where V is the set of distributions I(X; Y|U) that factorize as 
PuPxiuVFyzix and such that I(X;Z|U) < ^i? 2 (U r ). 

Proof: See Appendix [C] ■ 
It is not straightforward to establish a converse for Proposi- 
tion[3]because typical converse arguments make no assumption 



regarding the internal structure of the encoder. In particular, it 
seems difficult to include a constraint that would prevent any 
processing of U r . 

In general, -i?2(U r ) ^ -H(U r .), and the constraint in 
Proposition [3] is therefore more stringent than in Proposition [TJ 
The effect can be quite dramatic, and the following example 
shows that the gap between the rates in Proposition [T] and 
Proposition [3] can be large. 

Example 1: Assume the encoder performs randomization 
with a biased local source of randomness, which produces 
random numbers U r £ fl,2™ fl J such that 



P(U r 



1) 



>— naR 



and P(U r 



1 



y — naR 



if i ? 1, 



2 nR - 1 

where a g]0; \ [ is a parameter that controls the uniformity of 
the distribution. Note that 

lim ~-R 2 (Ur) = otR whereas lim wH(U r ) = R. 

Consequently, without proper uniformization, the achievable 
rates predicted in Proposition [3] could be arbitrarily small. 
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Appendix A 
Converse Proof for Proposition!]] 

Let e > and let R be an achievable rate. Then, there exists 
a (2 nR ,n) code C n such that P e {C n ) ^ e and L(C n ) < e. 
Following the converse technique in J2), we obtain 



^(iJMjYjIY* -1 ^ 1 !- i(M:Z,|Y' i Z''~ l 



1=1 

where Y i_1 ' <v »' 1 7<>J ■- 



{Y,}}-;, Z»+* ^ {Z^U+i ^d 5(e) is a 
function of e that goes to zero with e. Next, by definition of 
the encoder e and by independence of R n and M, 



-H(X n |M) = -H(e(M,R")|M) — H(R n ) 
n n n 

Now, we also have 



(R). (1) 



i 



H(X n |M) 



= -H(X") - -H(M) + -H(M|X") 
n n n 

^ -H(X") - -H(M) + -H(M|X") + -I(M:Z") - 5(e) 

n n n n 

= -H(X") - -H(M|Z") - 5(e) + -HfMIX") 
n n n 

= -H(X n ) - l W{MX n \Z n ) + -H(X n |MZ n ) 
n n n 

+ -H(M|X") - 5{e) 
n 

= -I(X"; Z") + -H(X"|MZ") - 5(e) 
n n 

>h(X n ;Z n )-S(e), (2) 



where the last inequality follows because M — > X™ — > Z™ 
forms a Markov chain and H(M|X"Z Tl ) = H(M|X"). Then, 

-I(X n ;Z") 
n 

= ~ E (H(Zi|z i+1 ) - e(z l |x n z i + 1 )) 

i=l 
1 n 

> - J2 (^(Z.IY 1 - 1 ^ 1 ) -h(z,|Y 1 - 1 Z 1 + 1 X 1 )) 

i=l 
1 n 

= -^l(x i ;Z l |r- 1 Z I+1 ), (3) 

i=l 

where the inequality follows because conditioning does not 
increase entropy and 2 J+1 Y J_1 — > Xj — > Z; forms a Markov 
chain. Let us now define a random variable Q independent of 
all others and uniformly distributed on [l,n]. For i £ [1, n], 
we also define U, = Y*" 1 !^ 1 and V, = U;M. Combining 
inequalities ([l}, (j2j, and ((3), and substituting the definition of 
Q, 1_L, Vj above, we obtain 

R < I(V Q ; Y q |QU q ) - I(V Q ; Z Q |QU Q ) + S(e) (4) 
H(R) >I(X Q ;Z Q |QU Q )-<5(e). (5) 

Finally, define U = U Q Q, V = V Q Q, X = X Q , Y = Y Q and 
Z = Zq. Note that U -> V ->• X ->• YZ forms a Markov chain 
and that the statistics pyz\x are those of the original channel 
WyziX' Substituting these definitions in Q and Q, we obtain 

R sc I(V; Y|U) - E(V; Z|U) + 5(e) 
H(R) >I(X;Z|U) -<5(e). 

Because the eavesdropper's channel is less capable, then 
I(V; Y|U) - I(V; Z|U) I(X; Y|U) - I(X; Z|U). Since e can 
be chosen arbitrarily small, we obtained the desired converse. 

Appendix B 

ACHIEVABILITY PROOF FOR PROPOSITION[T] 

The proof relies on binning, superposition coding, and 
stochastic encoding as in ||2] Lemma 2]; however, since the 
local source of randomness is explicit and since we impose 
a strong secrecy criterion, some details must be laid out 
carefully. We denote the set of e-strongly typical sequences 
with respect to px by T™(X) and the set of conditional e- 
strongly typical sequence with respect to pyx and x n G T"(X) 
by T^Y\x n ). 

We first show the existence of a code C n assuming an 
unlimited amount of uniform randomness is available. We fix a 
joint distribution p U x on U x X such tha|^]l(X; Z|U) H(R) 
and I(X;Y|U) - I(X;Z|U) > 0, and we construct a code 
C n for the broadcast channel with confidential messages 
(X,PYZ\X,y x z )- Let e > 0, i? > 0, R r > 0, R > 
and n £ N. We randomly construct a code as follows. We 
generate 2 nR ° sequences independently at random according 

3 If such a probability distribution does not exist, then the result of 
Proposition [Tl is trivial and there is nothing to prove. 



to pu, which we label u n (i) for i £ [l,2 nfl °]. For each se- 
quence u n (i), we generate 2 n ^ R+Rr ^ sequences independently 
a random according to px\u, which we label x n (i,j,k) with 
j £ [1,2"""] and k £ [1,2™^]. To transmit a message 
i £ [l,2 nflo ] and j £ [1,2"""], the transmitter obtains a 
realization A; of a uniform random number U r £ [l,2 niir ], 
and transmits x n (i,j, k) over the channel. Upon receiving y n , 
Bob decodes i as the received index if it is the unique one 
such that (u n (i),y n ) £ T™(UY); otherwise he declares an 
error. Bob then decode (j, k) as the other pair of indices if 
it is the unique one such that (x n (i, j,k),y n ) £ T"(UXY). 
Similarly, upon receiving z n , Eve decodes i as the received 
index if it is the unique one such that (u n (i), z n ) £ T"(UZ); 
otherwise she declares an error. 

Lemma 1: If R < min(I(U; Y),I(U;Z)) and R + R r < 
I(X;Y|U), then E(P e (C n )) 2~ an for some a > 0. 

Proof: The proof follows from a standard random coding 
argument and is omitted. ■ 

Lemma 2: If R r > I(X; Z|U), then we have 
Ec„(V(p M Z",PMPZ")) < 2- 0n for some p > 0, where V 
denotes the variational distance. 

Proof: Lemma [2] is a special case of Lemma [4] proved in 
Appendix [C] ■ 
Using Markov's inequality, we conclude that there exists 
at least one code C n satisfying the rate inequalities in 
Lemma [I] and Lemma [2] such that P e (C n ) ^ 3 ■ 2~ an and 
V(pmm Z",PmPm Z") ^ 3 • 2~ /3n . Finally, the uniform 
numbers U r can be approximately obtained from (Tl, p-g) with 
an appropriate function 0. 

Lemma 3 (adapted from /[771/): If R r < H(R), then there 
exists 4> such that "V(p,p(R^),pu r ) ^ 2~ nv for some i] > 0. 
Consequently, it is not hard to show that, even if the code C n 
is used with <j>(R n ) in place of U r , then 

P e (C n ) < 2- Kn and V(pmm„Z",PmPm„Z") < 2~ Kn . 

for some re > 0. The fact that L(C n ) ^ 2~ K ' n for some k' > 
follows from lfl2l Lemma 1]. Combining all rate constraints 
in the previous lemmas, and since e can be chosen arbitrarily 
small, we see that any rate R < I(X; Y|U) - I(X;Z|U) such 
that I(X;Z|U) H(R) is achievable. Note that the constraint 
on i?o plays no role since it represents a negligible rate of time 
sharing information to synchronize transmitter and receiver. 

Appendix C 
Proof of Proposition!!] 

The proof is similar to that Appendix [B] with Lemma |4] in 
place of Lemma [2] Lemma [2] is obtained in the special case 
of U r uniform. 

Lemma 4: If ^R 2 (U r ) > I(X;Z|U), then we have 
Ec„(V(pmz",PmPZ")) < 2-* n for some p > 0. 
The proof relies on a careful analysis and modification of 
the "cloud-mixing" lemma |fT3l and the notation is that of 
Appendix [B] We define the distribution qu"X"Z" on 1A n x 
X n x Z n as 

gu«x«z«K,x", Z ") = W zn{xn (z n \x n ) PX n U n(x n > u n ). 



First note that the variational distance V(pmz™ ,PwiPz n ) can 
be bounded as follows. 

V(pmz",PmPz") 

«S %mu»z»,PmPu»z») 

= Eu»m(V(pz"|mu">Pz»|u»)) 

Eu"M(V(p Z n| MU „,q z „| U „) + V(<7 Z „| U >.,p z „|u")) 
< 2E U "M(V(p Z r 1 |MU",9Z"|U")) 

Then, let U™ be the sequence in U n corresponding to Mo = 1. 
By symmetry of the random code construction, the average 
of the variational distance V(pmz™ ,PMPz n ) over randomly 
generated codes C„ satisfies 

Ec„ (V(?mz» , PmPz™ )) 

< 2Ec n (V(p z »|u»=ujM=i 5 ?z«|u™=u™)) ) 

where 

)= E W ZnlXn (z n \x n (l,l,k))p u Jk). 

k—l 

The average over the random codes can be split between the 
average of U™ and the random code C„(it") for a fixed value 
of m™, so that 

E c„ (V(pz»| U « =u?M=1 , ?Z»|U»=U? )) 

= E ^U"«)E C „(«p)(V(p Z »| U « = „n M=1 ,g Z „| U „ = „n)) 

sc 2P(U™ ^ TJ l (U)) 

+ E PU«(Wl)E Cn („n ) (V(p Z n| U n = „ rM=1 ,g Z n| U n =u? )), 
u?eT"(U) 

where the last inequality follows from the fact that the varia- 
tional distance is always less than 2. By construction, the first 
term on the right-hand side vanishes as n gets large; we now 
proceed to bound the expectation in the second term. First note 
that, for any z n 6 Z™, 

Ec n («»)(PZ»|U«=u«M=l(z")) 

(2 nR r 
£ W ZnlXn (z n \x n (l,l,k)) PU r(k) 
k=l 

= ]T E CnK) (^z"|x« (z n \x n (l,l,k)))p U r(k) 
fc=l 

= <7z»|U"=«?(z n )- 
We now let 1 denote the indicator function and we define 

2 nR r 

4 £ W z »| X »(* B |:r B (l,l,*))Pu P (fc) 
fe=i 

i{(^(i,i,fc),z n )er e "(xz|<)}, 

p(2) (z n } a £ W z », x -(«"|a:"(l, 1, *r))pu^(A:) 
fe=i 

l{(^(l,l,fc),z")^T e "(XZ|<)}, 



so that we can upper bound V(p Z n| U »=i,«M=i, 3Z"|U»=u» 



as 

V(pz"|u™=u5*m=i, 9Z"|u™=«5*) 

< £ |Pz«|u»=uyM=iOO - 9z»|u»=«f (^")| (6) 

z"£T e "(ZK) 

+ £ U 1 )(^)-E(p«(z n ))| (7) 
2 "eT e "(z|«™) 

+ y y 2 \z n )-v.(p^{z n ))\. (8) 

Z " S T e "(Z|«J) 

Taking the expectation of the term in |6]) over C„(it"), we 
obtain 

I £ |Pz»|u»=«?ivl=iO n ) ~ 9z»|U»=«? (z")| 

Z "^T»(Z|«") 

sC £ E(max(p z „| U „ =urM=1 (z"),g z , 1 | U „ =ur (z™))) 

2 »^Tf(Z|«f) 

£ 9z-|U"=<( z ")' 

*»gTf(ZK) 

which vanishes as n goes to infinity. Similarly, taking the 
expectation of the term in (|8]l over C„(u"), we obtain 



E |p( 2 >(z")-E( p ( 2 >(z"))|] 
»eT e »(ZK) / 

^e(j2 |p (2) (^)-e(p (2) (^))|) 



<: 



E E (2 V) 



E E(W z „| X „(^"|X n (l,l,l)) 



z n 6Z n 

l{(X"(l,l,l),z")^T e "(XZ|<)) 
E 9z"X"|U"=<(^ l ,a;™), 

(a;' l ,z™)^T e "(XZ|M! | 1 ) 

which vanishes as n goes to infinity. Finally, we focus on 
the expectation of the term in |7) over C„(u"). For z n 6 
T"(Z|m"), Jensen's inequality and the concavity of x 
guarantee that 



E 



-E(p (1) (z")) ) sC y / Var(p( 1 )(z")) 



In addition, 



Var(p«(z")) = Epu,.(fc) 2 Var(M/ z „| X ,(^|X"(l,l,fc)) 

l{(X"(l,l,fc),z")eTJ l (XZ| U ' 1 1 )}) 



Note that 
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Hence, if > I(X; Z|U) + (5(e), the sum vanishes as n 

goes to infinity, which concludes the proof. Note that if U r is 
uniform, then i?2(U r ) = nR r , and we obtain Lemma [2] 



